August 22, 2016

Why Employee Training Might be the Most Critical Security Strategy Ever

One of the most intriguing findings from the 2014 Cyber Security Intelligence Index, wrote a blogger at securityintelligence.com, is that 95% of all security incidents involve human error.

The findings put the spotlight on both external attacks that trick employees into providing access to sensitive information and on-the-job mistakes by employees that lead to data breaches.

But they also highlight the significance of information security training in maintaining office security, which was an important theme – and emerging challenge – identified by the 2016 Shred-it State of the Industry Report.

Drawing on the annual Shred-it Information Security Tracker by Ipsos, the report concluded that training employees in information security is one of the most important strategies today to protect an organisation’s confidential information and to keep data security a priority in the workplace.

What are the key aspects of information security training? Here's an office security checklist: 

  • Security awareness must be company-wide. Protecting confidential information must be a commitment from the top down, starting with the CEO and the rest of the C-Suite. As part of a culture of security, training should give every employee a thorough understanding of the office security policy so that they can consistently make the right decisions about protecting information.
  • Knowledge and skills are both necessary. Security experts say that the best security technology such as firewalls and password protection will fail if employees do not know how to identify and avoid security risks. Training must provide both theory and practical best practices.
  • Training must be ongoing. Regular, repeated training is critical for keeping security policies and procedures a priority both in and out of the workplace. The State of the Industry Report showed that many businesses around the world fall short: in the UK, for example, 34% of SMEs never train employees, and 32% do so only on an ad-hoc basis.
  • Remind employees. Communicate security awareness and educate employees in different ways. For example, hang reminder posters and include references in emails, memos, meetings, and even promotions. Comprehensive employee policies teach security too. A Clean Desk Policy helps keep work areas clean and tidy. A Shred-it all Policy requires that all documents are securely destroyed when they are no longer needed.
  • Utilise employee ambassadors: The State of the Industry Report underlined the importance of developing an information security ambassador programme so there are liaison points for information security throughout the organisation. Ambassadors, who are volunteers, help educate employees, build awareness, and influence secure behaviours.
  • Address the mobile workforce. The 2016 Security Tracker showed that 97% of C-Suite respondents and 55% of SMEs have at least some employees currently using a flexible or off-site working model, yet only about one-third of C-Suite respondents and 8% of SMEs have information security policies that cover off-site work environments. Best practices include: never leaving hardware or confidential materials in vehicles, hotel rooms or similar locations; guarding against visual hacking (shoulder surfing) by shielding screens and paperwork from view in public places; returning paper documents and digital media that are no longer needed to the workplace for proper disposal; and partnering with a reliable information destruction provider for disposal and destruction services.

A comprehensive document management policy is beneficial for two reasons: it systematically protects information from creation until disposal, and it teaches employees to protect information too.